Tuesday, October 25, 2016

iOS apps leak user information … Hacker

Researchers at Zscaler have published a report compiled after a long observation of the behavior of iOS and Android applications. On average, devices with the Zscaler solution installed account for a total of 45 million different operations per quarter. Only 4% of them leaked some confidential user data to outside parties; that is, a threat was recognized in only 200,000 operations. Sensitive data, as the researchers define it, includes information such as phone number and email address, information about the location of the device, and any metadata (IMEI, MAC address, IMSI, network information, OS, SIM card and device manufacturer).

Oddly enough, it turned out that iOS apps send user data to outside parties more often than Android apps. The researchers write that during the quarter there were 26 million operations carried out by a variety of iOS applications, and confidential information leaked in 0.5% of cases (130,000 operations). Of the leaked data, 72.3% contained information about the device, 27.5% contained geolocation information, and 0.2% contained personal user data.

The majority (70%) of leaks were recorded on iOS devices in China, and in second place (20%) was South Africa. Also on the list were the USA, the UK and Ireland.

The figures for Android applications, in turn, are as follows: the researchers recorded 20 million transactions during the quarter, of which only 0.3% were found to be hazardous (60,000 operations). In 58% of dangerous operations various metadata leaked, in 39.3% of cases the apps leaked location data, and in 3% of the transactions confidential information was disclosed to third parties.

Most of the leaks occurred on devices in the United States (55%), the UK (16%) and China (12%).

Zscaler analysts warn that this problem can hardly be considered trivial, because leaked sensitive user information (even if it is just metadata) can be intercepted and used by attackers. Such data can be of great help in carrying out targeted phishing, smishing (phishing via SMS), DoS attacks and so on.